Researcher advises against use of Sophos antivirus on critical systems

Antivirus provider Sophos has fixed a variety of dangerous defects in its products that were discovered by a security researcher who is recommending many customers reconsider their decision to rely on the company.

"Sophos claim that their products are deployed throughout healthcare, government, finance, and even the military," Tavis Ormandy wrote in an e-mail posted to a public security forum. "The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient."

A more detailed report that accompanied Ormandy's e-mail outlined a series of vulnerabilities that attackers can exploit remotely to gain complete control over computers running unpatched versions of the Sophos software. At least one of them requires no interaction on the part of a victim, opening the possibility of self-replicating attacks, as compromised machines in turn exploit other machines, he said. The researcher provided what he said was a working exploit against Sophos version 8.0.6 running Apple's OS X. Attackers could "easily" rewrite the code to work against unpatched Sophos products that run on the Windows or Linux operating systems, he said.

A post published to Sophos' Naked Security blog around the same time Ormandy released his report thanked the researcher for privately disclosing the vulnerabilities so they could be fixed before attackers have the knowledge required to exploit them.

"The work of Tavis Ormandy, and others like him in the research community, who choose to work alongside security companies, can significantly strengthen software products," the post stated. "On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach."

The Sophos post detailed eight fixes that were released from 42 days to 55 days after Ormandy privately brought them to the attention of Sophos engineers. For his part, Ormandy concluded that the amount of time it took to release the patches was excessive.

"Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit," he wrote. "Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency plans to handle this scenario if you choose to continue deploying Sophos."

A security researcher at Google, Ormandy stressed that his report and comments were entirely his, and not those of his employer.

With marked improvements in the security of browsers and Adobe's Reader and Flash applications, it wouldn't be surprising for attackers, particularly well-funded ones targeting a specific corporation or government agency, to turn their attention to AV programs. The detailed interactions AV programs have with browsers and sensitive operating system regions mean there's plenty of opportunity.

It's unclear if Ormandy has analyzed the security of other antivirus products so he can arrive at an assessment of how they compare to Sophos. He didn't respond to an e-mail seeking comment for this post.

42 days sounds extended, but potentially Sophos did the correct thing. Presumably, it went through duplication, isolation, correction, and testing for each of the platforms before it could be released as an update to any. A critical bug fix in one platform's antivirus would simply be a bulletin board for parties targeting the other platforms.

Hence, to go full cycle on all platforms simultaneously AND have a robust testing period is reasonable for 40 days. They did not rush the fix out the door, which can lead to things like the recent Java security bug in the security bug fix. If the exploit is not in the wild, vendors have a bit more luxury to robustly test their software, improving everyone's lives.

That does not mean that they cannot move quickly when faced with a threat.

I don't use the antivirus, but I recommend pointing your Facebook relatives to Sophos' Naked Security Facebook page. It updates with analysis of common Facebook (and non-Facebook) threats and scams. Got a few friends to follow it who appreciate being able to separate the scams from the real stuff now. So Sophos is still good to have around in some form.

/inb4idontownafacebook

Huh? You are running Windows without anti-virus? You are self destructive.

And no one's unsophisticated relatives are going to read (and understand) anything about security on FB or elsewhere. Keep in mind that the vast, vast majority of Internet users world-wide are NOT techies.

At least download and install Microsoft Security Essentials. It's free and in my view is more likely to protect you than Sophos, Symantec, etc. Footnote: I've been burned in the enterprise by Symantec once too often. Will never use a Symantec product again. Period.

Tavis - who is without doubt a very smart person - has a country-sized chip on his shoulder following some unkind comments made about him a few years back on a Sophos blog.

Putting in some serious hours to uncover exploitable code within common security software - good thing. Spouting hyperbole about not installing the software on critical systems and having contingency plans to remove the software when a fixed exploit is used (!) - not such a good thing.

What exactly will most folk move to? Symantec, Kaspersky, McAfee, Trend or Microsoft AV software? Of course software from these vendors won't contain any exploitable vulnerabilities because they use the famous magic coding dust! When software has complex functionality there will always be enough attack surface to get an "in" if the attacker has enough time and resources to hand.

Having said all this, is it good that a torch is being shone on the exploitability of AV agents? Hell yes. Is it a shame that this obviously talented security researcher is only giving one vendor a kicking because of his personal grudge? Yup.

I find that each of the known virus brands have their own strengths and weaknesses. Many people who are in charge of sensitive systems know this and have many security tools in their toolbox to protect sensitive systems and usually don't depend solely on one form of protection or even one security vendor.

Also from the story: "The researcher provided what he said was a working exploit against Sophos version 8.0.6 running Apple's OS X."

Let us be frank here. I am a mac fan boy. I admit. Love them. But in reality when was the last time you heard of any sensitive system running OSX?

Maybe Server 200x, a flavor of Unix, or a web server like Apache. A SQL database, maybe.

But OSX?

Let's be real. A majority of OSX systems aren't even running any form of anti-virus at all.

I'd rather run Windows without an anti-virus, WITH all current patches to all software installed and other best security practices than WITH an anti-virus without all the current patches and best practices.

Or to put it another way, I've removed viruses from (or reinstalled Windows on) many machines and every one of them had an anti-virus of some sort installed.

That might work fine for you personally, but it doesn't work for a company with 2,000 Windows PCs.

No protection is perfect, but I would never use Windows without antivirus software or firewall.

Nobody ever got fired for running an antivirus. You could either run one, and deal with it occasionally deleting corebusinesslogic.ocx while throwing popups about not getting definitions for the last 763 day(s), or collect all the blame should anything ever happen. As a bonus, any other IT problems can be explained away as "a conflict with the antivirus", while you quietly mop up the real cause (hangover while editing group policy). An antivirus is a blame control system, and any admin worth anything knows that that's gold.

My experience is we have had more downtime and productivity loss from the anti-virus software itself than from actual viruses at our company.

Tavis - who is without doubt a very smart person - has a country sized chip on his shoulder following some unkind comments made about him a few years back on a Sophos blog.

....

Having said all this is it good that a torch is being shone on the exploitability of AV agents - hell yes? Is it a shame that this obviously talented security researcher is only giving one vendor a kicking because of his personal grudge - yup.

Seems that I remember there was some controversy surrounding the way he disclosed a bug in the 16-bit subsystem in Windows XP a few years back as well.

Maybe he should stick to making awesome QNX Photon-like FVWM configurations after uncovering security holes and leave the press releases to someone else.

No antivirus is perfect. Definitions need to be updated, zero-day exploits won't be stopped, etc. etc. but having nothing helping you is a really bad idea. No reason when you can get free products like MSE that do their job while having negligible impact.

DarthShiv wrote:

My experience is we have had more downtime and productivity loss from the anti-virus software itself than from actual viruses at our company.

Maybe you haven't had more losses from viruses because you run antivirus? There's usually configuration changes you can make to help issues like that - eg. folders/filetypes to ignore for realtime scanning. That alone made a huge difference at my old company (programmers).

I run at home and work without active virus protection. I'm happy to take full responsibility for my machine being infected. Periodically run one-off scans for sanity checking. Never had an infection. I run a third-party firewall with full comms logging, non-IE browser, disable javascript and flash for non-trusted sites, patch regularly, don't open suspicious files and don't have writable file shares. Also use UAC, disable legacy SMB, large administrative passwords.

Maybe average Joe needs a decent AV but I don't think one exists and I don't need it. I don't need an AV to tell me what software I can and cannot run either. Most block legitimate software like IP scanners which I *do* use for testing my own network.

And let's put it this way... if an AV company knows an exploit, so does MS/<insert OS manufacturer here> and I'm going to trust MS/OS Manufacturer to patch the exploit more than trust the AV to clean an infection.

VideoGameTech wrote:

There's usually configuration changes you can make to help issues like that - eg. folders/filetypes to ignore for realtime scanning. That alone made a huge difference at my old company (programmers).

Yes, definitely agree there. We are in the same boat. Our build machines were crippled without these exceptions.
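The exclusion tuning the two comments above describe (skipping build output in realtime scanning) is where admins routinely trade safety for throughput, so here is an added example, not from the thread and not Sophos's own tooling (the page does not describe Sophos's policy interface), that shows the scoped form of such an exclusion beside an audit that flags the forms an attacker would love to find. It assumes the Microsoft Defender PowerShell cmdlets (Get-MpPreference, Add-MpPreference), which exist on Windows 8 / Server 2012 and later; the build path and the project name are constructed examples.

```powershell
# Added example: scoped realtime-scan exclusion for a build output tree, plus an
# audit of exclusions broad enough to hide malware. Uses Microsoft Defender's
# cmdlets (Get-MpPreference / Add-MpPreference); not Sophos's tooling, which the
# thread does not describe. All paths are constructed examples.

# Executable types that should never be excluded by extension: an extension-wide
# exclusion disables scanning for that type everywhere on the machine.
$ExecutableExtensions = @('exe','dll','scr','com','msi','ps1','bat','cmd','js','vbs')

function Test-IsBroadPath {
    # True for a drive root, the Users folder, or a whole user profile.
    param([Parameter(Mandatory)][string]$Path)
    $p = $Path.TrimEnd('\')
    return ($p -imatch '^[A-Z]:$') -or
           ($p -imatch '^[A-Z]:\\Users$') -or
           ($p -imatch '^[A-Z]:\\Users\\[^\\]+$')
}

function Add-ScopedBuildExclusion {
    # Excludes exactly one existing directory tree and refuses the over-broad forms.
    param([Parameter(Mandatory)][string]$Path)
    if (Test-IsBroadPath -Path $Path) {
        throw "Refusing over-broad exclusion: $Path"
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Exclusion target does not exist or is not a directory: $Path"
    }
    Add-MpPreference -ExclusionPath $Path
}

function Get-RiskyExclusions {
    # Returns the currently configured exclusions a reviewer should question.
    $pref  = Get-MpPreference
    $risky = @()
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and (Test-IsBroadPath -Path $p)) {
            $risky += [pscustomobject]@{ Kind = 'Path'; Value = $p; Reason = 'drive, Users, or profile root' }
        }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        if (-not $e) { continue }
        $ext = $e.TrimStart('.').ToLowerInvariant()
        if ($ext -in $ExecutableExtensions) {
            $risky += [pscustomobject]@{ Kind = 'Extension'; Value = $e; Reason = 'executable type excluded everywhere' }
        }
    }
    return $risky
}

# Constructed example: a build server's output directory for one project.
Add-ScopedBuildExclusion -Path 'C:\Builds\ProjectX\bin'
Get-RiskyExclusions | Format-Table -AutoSize
```

Exclude the narrowest tree that actually hurts build throughput (the output directory, not the source root or the whole drive), and never an executable extension: an excluded .exe gives any dropped binary a scanning-free home wherever it lands. Running Get-RiskyExclusions from the management host on a schedule turns exclusion creep into a reviewable finding rather than something discovered during an incident.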

I have not used antivirus on my Windows PC in over 8 years. I started not using it as soon as I learned that the best antivirus is myself. I do occasionally download and install an antivirus to check on things, but it always confirms what I believe: smart practices are your first and best line of defense against the dreaded computer virus.

Also worth mentioning is the fact that I never click any ads, and I never believe anything is free.

I just remembered this and thought I would add it, the only time my personal information was stolen and there was an attempt to use it was due to buying something online from a work computer. That work computer also had antivirus software installed on it.

I had to work with Sophos on a relative's fairly small, fairly un-cluttered hard drive. The phrase "agonizingly slow" comes to mind. I don't know if that's typical of Sophos - it was just that one time - but like putting your hand on a hot stove, that one time was painful enough to make me swear off of Sophos forever.

We use Sophos at work (a secondary school), can't really fault its detection rate but it does suck a bit on the performance side of things - it's not Norton bad, but it's frustrating, and very much so if you happen to encounter it on a server. The enterprise features are lacking in places, deployment is clunky (no MSI, it's 2012...?) but it essentially works.

Except when Sophos releases a new def that false-positives and quarantines effectively half the executables on your hard disk, *including its own update exe*. If you had a policy set to delete malicious exes as they were found, Sophos basically ate itself and would not update.

They actually did this a few weeks back and left admins everywhere scrambling to sort the problem and redeploy where necessary.

We were "lucky" in that most of our machines are on one site and physical access to the boxes is fairly trivial. I "only" had to waste 3-4 days on it. Pretty jaw-dropping stuff that they even managed to let that one through QC. Although we still have to use their AV at the moment that incident has really eroded any illusion I had that Sophos really knows what it is doing.

Better the devil you know?

Or, stated another way, your company that uses anti-virus software has not had a significant problem with actual viruses?

We did have a problem with shared folders having .exe's infected. The virus scanner being used was useless there (definitions were up to date - it just didn't do the job). Machines that were configured well (e.g. not having "everyone" given read/write access) and patched were not affected. Ironically one of the people affected by the virus was the network administrator who had to rebuild their machine.

I put a lot more faith in decent security patching administration and practices.

There's a reason it's referred to as "slowphos" at shops that run its products. The SafeGuard encryption takes more time to load at bootup than the OS itself (Win7 Enterprise 32-bit) takes to boot up. How sad is that?

I run MSSE on my dev box and haven't had any false positives. Our shop was one of those hit by Sophos' recent false positive, but thankfully we were able to use Altiris to push a fix since Sophos had quarantined itself. Reminded me of when McAfee shut down a bunch of companies with a bad update that ate NTLDR or something similar that Windows needed to boot.

I haven't read the press release, but agree that no software is ever 100% secure. But I also don't particularly care for Sophos.